Ntlm authentication doesn't work

I’m making a request in postman to an api that uses ntlm authentication, but postman gives up after it receives the initial 401. It never attempts to send any credentials to the server.

This is what I see in fiddler:


GET [url] HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.1.5
Accept: /
Host: [host]
accept-encoding: gzip, deflate
Connection: keep-alive


HTTP/1.1 401 Unauthorized
Content-Length: 61
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate,NTLM
Date: Fri, 22 Jun 2018 10:25:40 GMT
Proxy-Support: Session-Based-Authentication

{“Message”:“Authorization has been denied for this request.”}

… and that’s it. Even though NTLM authentication is selected and I’ve entered my credentials, postman doesn’t make any attempt to send them. The url works fine in chrome, and I can see it’s successfully going through the ntlm authentication process after the initial 401.

This is using 6.1.3

@collider This bug is being tracked here https://github.com/postmanlabs/postman-app-support/issues/4711
Will update the thread once we have a fix for it.

I saw that bug but i get the same behaviour when the www-authenticate header in the response isn’t unified, so seemed different

@collider Could you share the logs when the header is not unified?

I’m running into this same issue. Where can I find the logs? I’ll send you what I have.

You can open the Postman console and then send the request having NTLM auth. There should be 3 requests logged in the console. Switch to the raw mode then copy everything and post it here

Here’s a screenshot on how it would look like

Sorry for the delay… I’ve had to replace the route and body with XXX, but this is the raw log details:

accept: /
accept-encoding: gzip, deflate
content-length: 1096
content-type: application/json
user-agent: PostmanRuntime/7.3.0
HTTP/1.1 401
status: 401
content-length: 0
date: Tue, 13 Nov 2018 12:10:14 GMT
proxy-support: Session-Based-Authentication
server: Microsoft-HTTPAPI/2.0
www-authenticate: NTLM

It only makes this initial request and doesn’t attempt to respond to the server’s request for NTLM auth. However if I make the same request using a c# app and monitor in fiddler, i see it authenticating successfully using NTLM over 3 requests, so the issue seems unique to postman.

Actually nevermind, i just noticed that the ‘disable retrying the request’ flag was checked. It works after disabling this, as long as NTLM is the only www-authenticate value